-->> Traffic is already slow enough when a router is unstable because it may
-->> not know how to get to the destination, but if you throw in the
-->> requirement that it has to know how to get to the source as well, didn't
-->> you just help the hacker by shutting down service for lots of people?
-->How? I can't understand how this helps the hackers.
-->
-->Though you are right in case of Universities (and it's not secret just universities
-->are the motherland of the hackers -:)).
-->---

In order for your idea to work, the router where you're doing the filtering must know how to get to all destinations on the Internet, must not have a default network or route, and they must be symmetrical.

As far as your other statement, when an instability occurs, all traffic starts getting slow because the routers are trying to reroute around a flapping t3 or whatever caused the outage. Since the whole point around a denial of service attack is to deny service, by adding in the fact that we need to know how to get to the source address before we forward the packet introduces more problems. I think you would find this hurts more than it helps. Even if you limit this kind of lookups to when the packet happens to be a TCP packet with the syn option, you still have a problem in establishing a connection. This creates frustration on the part of the end user.

--
-------------------------------------------
| Jeremy Hall      Network Engineer       |
| ISDN-Net, Inc    Office +1-615-371-1625 |
| Nashville, TN and the southeast USA     |
| jhall@isdn.net   Pager  +1-615-702-0750 |
-------------------------------------------
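
The three conditions named in the message above (full routes, no default, symmetric paths) can be seen in a small model of a strict reverse-path source check. This is an added example, not part of the original message; the interface names, routing tables and RFC 5737 documentation addresses are constructed for illustration.

```python
import ipaddress

def lookup(fib, addr):
    """Longest-prefix match: return the interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def source_check(fib, src, in_iface):
    """Strict check: forward only if the route back to src points out
    the same interface the packet arrived on."""
    return lookup(fib, src) == in_iface

# Constructed routing tables (prefix -> outgoing interface).
CUSTOMER = "192.0.2.0/24"
REMOTE = "198.51.100.0/24"
FULL_SYMMETRIC = {CUSTOMER: "cust", REMOTE: "peer_a"}
ASYMMETRIC = {CUSTOMER: "cust", REMOTE: "peer_b"}  # return path differs from arrival path
DEFAULT_ONLY = {CUSTOMER: "cust", "0.0.0.0/0": "upstream"}
ROUTE_WITHDRAWN = {CUSTOMER: "cust"}  # remote prefix lost during a flap

def scenarios():
    remote_host = "198.51.100.7"
    return {
        # Full table, symmetric paths: the check works as intended.
        "symmetric_legit": source_check(FULL_SYMMETRIC, remote_host, "peer_a"),
        "symmetric_forged": source_check(FULL_SYMMETRIC, remote_host, "cust"),
        # Asymmetric paths: genuine traffic arriving on peer_a is dropped.
        "asymmetric_legit": source_check(ASYMMETRIC, remote_host, "peer_a"),
        # Default route: any source not covered by a more specific prefix
        # passes when it arrives from upstream, so nothing is verified.
        "default_unverified": source_check(DEFAULT_ONLY, "203.0.113.9", "upstream"),
        # Instability: with the route withdrawn, genuine traffic is dropped.
        "withdrawn_legit": source_check(ROUTE_WITHDRAWN, remote_host, "peer_a"),
    }

if __name__ == "__main__":
    for name, forwarded in scenarios().items():
        print(f"{name:20s} {'forward' if forwarded else 'drop'}")
```
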